PT-2021-23232 · Besu · Besu

Published 2021-12-13 · Updated 2021-12-16 · CVE-2021-41272

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Besu versions 21.10.0 through 21.10.1

Description: The issue is related to a signed type coercion error in the implementation of the SHL, SHR, and SAR operations in Besu, an Ethereum client written in Java. This error occurs when smart contracts ask for shifts between approximately 2 billion and 4 billion bits, which are nonsensical but valid values for the operation. As a result, these contracts will fail to execute and validate. In networks where vulnerable versions are mining with other clients or non-vulnerable versions, this will result in a fork, and the relevant transactions will not be included in the fork. In networks where only vulnerable versions are mining, the relevant transactions will not be included in any blocks. Once a transaction with the relevant shift operations is included in the canonical chain, the only remediation is to ensure all nodes are on non-vulnerable versions.

Recommendations: For Besu versions 21.10.0 through 21.10.1, update to Besu 21.10.2, which contains a patch for this issue. As an alternative, clients can roll back to Besu 21.7.4, which is not vulnerable. As a temporary workaround, ensure all nodes are on non-vulnerable versions once a transaction with the relevant shift operations is included in the canonical chain.
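As an added illustration of the bug class described above (a hypothetical model written for this entry, not Besu's own code), the following Java snippet shows an EVM-style SHL where a 32-bit "fits" check is followed by narrowing the shift count to a signed int, beside a version that compares the full 256-bit count before any narrowing. The class and method names are assumed; a shift count of 2^32 - 1 is used as a constructed example from the 2-to-4-billion range.

```java
import java.math.BigInteger;

// Hypothetical model of the signed-coercion mistake behind CVE-2021-41272.
// EVM semantics: SHL(shift, value) == (value << shift) mod 2^256, and any
// shift count of 256 or more must yield zero.
public class ShlCoercionDemo {
    static final BigInteger MOD_2_256 = BigInteger.ONE.shiftLeft(256);
    static final BigInteger WORD_BITS = BigInteger.valueOf(256);

    // Buggy: the guard only asks whether the count fits in 32 bits, then
    // narrows it to a signed int. Counts in [2^31, 2^32) pass the guard and
    // become negative after narrowing, so the ">= 256" check is bypassed and
    // BigInteger.shiftLeft with a negative count shifts RIGHT instead.
    static BigInteger shlBuggy(BigInteger shift, BigInteger value) {
        if (shift.bitLength() > 32) {
            return BigInteger.ZERO;
        }
        int n = shift.intValue();              // 4_294_967_295 -> -1
        if (n >= 256) {
            return BigInteger.ZERO;
        }
        return value.shiftLeft(n).mod(MOD_2_256); // wrong result for negative n
    }

    // Fixed: compare the unsigned 256-bit count first; only a count that is
    // already known to be below 256 is ever narrowed to an int.
    static BigInteger shlFixed(BigInteger shift, BigInteger value) {
        if (shift.compareTo(WORD_BITS) >= 0) {
            return BigInteger.ZERO;
        }
        return value.shiftLeft(shift.intValue()).mod(MOD_2_256);
    }

    public static void main(String[] args) {
        BigInteger value = BigInteger.ONE.shiftLeft(200);          // 2^200
        BigInteger shift = BigInteger.ONE.shiftLeft(32).subtract(BigInteger.ONE); // 2^32 - 1
        System.out.println("buggy: " + shlBuggy(shift, value));    // 2^199 (right-shifted by 1)
        System.out.println("fixed: " + shlFixed(shift, value));    // 0
    }
}
```

Two nodes disagreeing on this result is exactly the consensus split the description warns about: a block containing such a transaction validates on one implementation and not the other.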


Related Identifiers

CVE-2021-41272
GHSA-7PG2-P5VJ-XP5H

Affected Products

Besu